VYPR
Medium severity 5.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47309

Description

Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Uncontrolled recursion in Escargot via oversized serialized data payloads causes denial of service (stack exhaustion).

Vulnerability

An uncontrolled recursion vulnerability exists in Samsung Open Source Escargot at commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The bug occurs during deserialization of oversized serialized data payloads, where the recursion depth is not bounded by the input size, leading to stack exhaustion. The code path is reachable when Escargot processes serialized data that exceeds internal size thresholds [1].

Exploitation

An attacker can trigger the vulnerability by sending a crafted, excessively large serialized payload to a system that uses Escargot to parse data. No authentication or special privileges are required if the parser is exposed to unauthenticated input. The attacker prepares a payload that causes uncontrolled recursive calls during deserialization, resulting in a stack overflow and process crash.

Impact

Successful exploitation causes a denial of service due to stack exhaustion, crashing the Escargot process. There is no indication of information disclosure, file modification, or remote code execution. The impact is limited to availability (loss of service).

Mitigation

The issue is addressed in pull request #1565 (Fix crash issues) on the Escargot GitHub repository [1]. The fix introduces bounds checking to limit recursion depth during deserialization. Users should update to a version that includes this commit. If an upgrade is not immediately possible, avoid processing serialized data from untrusted sources or enforce size limits on input payloads.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot · 2 versions
    • (no CPE)
    • (no CPE) · range: = 590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 -1
  • test/vendortest · +1 -1 · modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
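
Review bot: the commit message "Update vendor test" gives no reason for moving the test/vendortest pointer from 71d8a34 to e17c468, and with one file changed nothing else in the commit explains it. State which test cases the new submodule revision brings in and which engine change they cover, so the bump can be reviewed without reading the submodule history.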
    

Vulnerability mechanics

Root cause

"Uncontrolled recursion in the Escargot JavaScript engine's serialization/deserialization logic allows a deeply nested or oversized payload to exhaust stack space."

Attack vector

An attacker supplies a crafted serialized data payload containing deeply nested structures to the Escargot engine. The deserialization routine recursively processes each nesting level without depth limiting, causing a stack overflow. The attack requires no authentication but needs user interaction (e.g., opening a malicious file or visiting a page that triggers deserialization). The CVSS vector indicates local access with low complexity [CWE-674].

Affected code

The vulnerability resides in the serialization/deserialization logic of the Escargot JavaScript engine at commit `590345cc6258317c5da850d846ce6baaf2afc2d3`. The patch updates the vendor test submodule, but the specific source files within the engine that handle recursive deserialization are not shown in the provided diff.

What the fix does

The patch updates the vendor test submodule commit from `71d8a3453148662bcbde7cd8180aaea7bf29ae32` to `e17c4680af0a133981ab19aa6ea0b67bd705f66c` [patch_id=600096]. The advisory does not show the source-level changes within the submodule, so the exact fix mechanism (e.g., adding a recursion depth counter or iterative parsing) is not visible from this diff alone. The change likely introduces depth validation or iterative processing in the deserialization path to prevent uncontrolled recursion.
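
The recursion depth counter named above and the input size limit suggested under Mitigation, shown as an added example on a constructed toy format. This is not Escargot's code or the code from the fix; the format, the limits `kMaxPayloadBytes` and `kMaxDepth`, and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>

// Constructed toy format (NOT Escargot's serialization format):
//   value := 'i'             leaf
//          | '[' value* ']'  nested array
enum class ParseResult { Ok, TooLarge, TooDeep, Malformed };

constexpr std::size_t kMaxPayloadBytes = 1 << 20; // assumed input size cap
constexpr std::size_t kMaxDepth = 64;             // assumed nesting cap

// Recursive descent with an explicit depth budget: each nesting level costs one
// stack frame, so the budget bounds stack use regardless of payload contents.
static ParseResult parseValue(const std::string& in, std::size_t& pos,
                              std::size_t depth, std::size_t& leaves) {
    if (pos >= in.size()) return ParseResult::Malformed;
    char c = in[pos++];
    if (c == 'i') { ++leaves; return ParseResult::Ok; }
    if (c != '[') return ParseResult::Malformed;
    if (depth >= kMaxDepth) return ParseResult::TooDeep; // refuse before recursing
    while (pos < in.size() && in[pos] != ']') {
        ParseResult r = parseValue(in, pos, depth + 1, leaves);
        if (r != ParseResult::Ok) return r;
    }
    if (pos >= in.size()) return ParseResult::Malformed; // missing ']'
    ++pos; // consume ']'
    return ParseResult::Ok;
}

// Entry point: size check first, then bounded parse; trailing bytes are an error.
ParseResult deserialize(const std::string& in, std::size_t& leaves) {
    leaves = 0;
    if (in.size() > kMaxPayloadBytes) return ParseResult::TooLarge;
    std::size_t pos = 0;
    ParseResult r = parseValue(in, pos, 0, leaves);
    if (r == ParseResult::Ok && pos != in.size()) return ParseResult::Malformed;
    return r;
}

// Constructed sample input: n opening brackets, one leaf, n closing brackets.
std::string nested(std::size_t n) {
    return std::string(n, '[') + "i" + std::string(n, ']');
}
```

The depth check runs before the recursive call, so a payload nested 100000 levels deep is rejected after 64 frames instead of consuming one frame per level.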

Preconditions

  • input: Attacker must supply a crafted serialized data payload with excessive nesting depth.
  • auth: No authentication required; the vulnerability can be triggered by any user who can provide input to the deserialization routine.
  • network: Local access is sufficient (AV:L in CVSS), though the payload could be delivered via a file or local input.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
